Microsoft has released an advisory regarding a zero-day vulnerability affecting Internet Explorer running on Microsoft Windows XP or Microsoft Windows Server 2003. Attacks are exploiting an unpatched vulnerability in the Microsoft Video ActiveX Control (MSVidCtl.dll) that could allow execution of arbitrary code with the same user rights as the local user. The flawed ActiveX control is used by Internet Explorer, and the vulnerability can be exploited when a user simply visits a website containing the malicious code.
The workaround for this vulnerability is to set kill bits for the Microsoft Video ActiveX control, as advised on the SANS blog. For administrators who wish to block the malicious domains, SANS ISC has also listed the exploit domains in their blog.
Microsoft has not yet released a patch to address this vulnerability. Detailed information about the vulnerability and the workaround is also available in the Microsoft TechNet Security Advisory.
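To confirm that the kill-bit workaround has actually been applied on a host, the following added example (not code from Microsoft or SANS) audits the text of a `reg export` of the ActiveX Compatibility key and reports, per class identifier, whether the kill bit is set. The CLSIDs and the sample export are constructed placeholders; the real identifiers must be taken from the Microsoft advisory.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE loading the control
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KEY_RE = re.compile(r"^\[(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')

def parse_compat_flags(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags value from decoded .reg text."""
    flags, clsid = {}, None
    prefix = BASE.upper() + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            name = key.group(1).upper()  # registry key names are case-insensitive
            # Track only direct {CLSID} subkeys of the ActiveX Compatibility key.
            tail = name[len(prefix):] if name.startswith(prefix) else ""
            clsid = tail if tail and "\\" not in tail else None
            continue
        value = FLAGS_RE.match(line)
        if value and clsid:
            flags[clsid] = int(value.group(1), 16)
    return flags

def audit_kill_bits(reg_text, required_clsids):
    """Return {clsid: 'set' | 'not set' | 'missing'} for each required CLSID."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in required_clsids:
        value = flags.get(clsid.upper())
        if value is None:
            report[clsid] = "missing"      # no key or no flags value: control not blocked
        else:
            report[clsid] = "set" if value & KILL_BIT else "not set"
    return report

# Constructed sample export and placeholder CLSIDs (not the advisory's real identifiers).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000b}]
"Compatibility Flags"=dword:00800000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000C}]
"Compatibility Flags"=dword:00000420
"""
REQUIRED = ["{00000000-0000-0000-0000-00000000000%s}" % c for c in "ABCD"]
if __name__ == "__main__":
    for clsid, state in audit_kill_bits(SAMPLE_REG, REQUIRED).items():
        print(clsid, state)
```

`reg export` writes UTF-16 text, so decode the file before passing it in. Any identifier reported as "not set" or "missing" means the workaround is incomplete on that host.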